Truth about computer security hysteria

VB2002 part 5: beach balls and worst-case scenarios

Rob Rosenberger, Vmyths co-founder
Friday, 10 January 2003

SOMEONE NAMED FREDERICK spoke up at the VB2002 speakers' panel. He blabbed of a well-known decade-old oft-described world-devouring theoretical {yawn} worst-case-scenario computer virus now called a flash worm:

06:23 Frederick (no last name, unknown affiliation):
Now, I was thinking about the-- how likely an attack of that type would be, and I was kind of wondering about the worst-case scenario. And the scary part, (what do they call it?), is that all the [unknown] really need for a worst-case scenario already exist. All the techniques exist. Just imagine the power. Something using a L0pht [unknown], or a [unknown] of some type, spreading extremely rapidly like Code Red did. It may be [unknown] to imagine that does. Also, the thing that is being distributed is for some reason extremely hard to detect, and so that the antivirus companies cannot respond within five minutes or ten minutes like they can do for the usual pests, like, something like [unknown]. I mean, this really [unknown] might take us a day or two to, in theory, to respond. And if you put all of those nasty [unknown] together into one packet and release it — perhaps with some nasty purpose, perhaps with the purpose of shutting down the economy of the U.S. [unknown] or something like that [mild laughter], then we have a really, really bad scenario. And the scary thing is that this can happen with today's technology.

Antivirus firms "respond within five minutes or ten minutes ... for the usual pests," Frederick says? Waitaminit! Reactive antivirus firms like Symantec & Network Associates respond within 5-10 hours at best.

Let's recall a bit of trivia, shall we?

Network Associates discovered the Melissa virus in 1999 on a Thursday afternoon and they worked feverishly until the wee hours of Monday morning to release a workable antivirus patch — just to stop something written by a complete idiot, I might add. Network Associates then urged customers to stop producing work on PCs as a precaution months after a college student wrote the horrifying Chernobyl virus that physically destroyed 150 million PCs in 1999.

I could bore you to tears with similar stories about the ILoveYou virus, the Nimda virus, and tens of thousands of other "pests" you've never heard of. "Five minutes or ten minutes" sounds like a marketing pitch.

Once the vendor produces a workable antivirus update, it takes a few more hours to fire off a half-million email alerts. If panic ensues, antivirus firms could get swamped by their own customers and it'd take hours or days before everyone retrieved an update.

OKAY, NOW LET'S discuss Frederick's notion of a "worst-case scenario." What does it really mean at a security conference like VB2002?

Answer: it doesn't mean anything. "Worst-case scenario" remains undefined to this day in the antivirus community. (Many things remain undefined in the antivirus community, but let's not digress.)

Longtime Vmyths readers know it behooves fearmongers to leave "worst-case scenario" undefined for marketing reasons. Why limit yourself to a boring formal definition when you can let your customers' imaginations run wild?

Virus Bulletin conferences deal with computer virus issues (as you would expect). I would therefore define a "worst-case scenario" at VB2002 as:

The complete & permanent destruction of computing & interconnectivity via (1) the nearly total global erasure of write-enabled storage media and (2) the nearly total global corruption of write-enabled firmware components.

In other words, the world's landfills would swell with useless desktop computers, laptops, servers, routers, 5ESS telephone switches, SCADA equipment, power grid switches, NAS devices, PDAs, nuclear reactor control panels — you name it. Almost all CAT5 cables would grow cold worldwide and almost all fiber optic cables would go dark. The U.S. and other first-world nations would plunge into economic martial law.

Let me quote White House fearmonger Richard Clarke in context: "the federal government needs a reconstitution plan" just to survive a worst-case scenario. Vesselin Bontchev (FRISK) warned the VB2002 speakers' panel that a worst-case scenario "may be sufficient to take down whole economies. And it will happen in the next 5-10 years."

However, I'll admit few of my colleagues would agree with the definition I gave you. "Why not, Rob?" Because few of my colleagues think about it, period. Let me explain.

IMAGINE A BEACH ball with "worst-case scenario" printed on it in large letters. Okay, now imagine you tossed it into a crowd.

Nobody really holds a beach ball for any length of time, do they? It just gets batted around. The game requires no thought, no strategy. I've got it, then you've got it, then she's got it, then he's got it. Some players spank it away; others will "set it up" like a volleyball player. Everybody wishes it would come to them. People soon lose interest and it sinks to the ground. A beach ball waits patiently for another crowd to come along...

My colleagues in the antivirus industry play with a "worst-case scenario" like you'd play with a beach ball. Nobody formally defines it, do they? It just gets batted around. The term requires no thought, no strategy. I've got it, then you've got it, then she's got it, then he's got it. Some people describe it as a virus outbreak; others will describe it as a buffer overflow exploit. Everybody wishes they could speak up. The experts soon lose interest and it sinks to the table. A "worst-case scenario" waits patiently for another crowd of experts...

Now you know why experts grow sour when you ask them to define "worst-case scenario." It takes all the fun out of the game.

The experts don't want to define a "worst-case scenario" — so I asked a woman who works across the hall from me at the Wellman [Iowa] Advance newspaper. Ranee Fladung shrugged her shoulders and said "I guess it would be that you can't use the Internet. It dies and it's gone and you can never access it again."

Her definition matches what many other non-experts express. If you say "worst-case scenario" to your grandmother, for example, she'll interpret it as the death of the Internet.

Ah, but most security experts will claim you can't really "kill" the Internet. They'll arrogantly dismiss Fladung's casual definition because she doesn't understand what she's talking about. (To which Fladung should respond, "then why don't you define it for us?")

Oddly, though, those same experts will dismiss my all-too-similar definition because it defies conventional beach ball wisdom. "If a beach ball pops, another beach ball will take its place. Likewise, if the Internet collapses, another Internet will take its place."

You'll find some interesting logic in this argument. Did the World Trade Center really "die" on 9/11/01 if another World Trade Center someday takes its place?

"Okay Rob, we see the logic. Do you subscribe to conventional beach ball wisdom?" Yes. Interconnectivity will never become a thing of the past.

Even if cave-dwelling cyber-terrorists destroy the Internet "in the next 5-10 years" — and even if its destruction "may be sufficient to take down whole economies" — it won't spell doom for the human race. Modern civilization, yes, but not the human race! Our descendants will someday reignite the fires of industry (although probably not in our lifetime). I honestly believe an Internet 2.0 will rise up from the ashes like a cyber-phoenix.

As such, you've got a decent "worst-case scenario" if you remove the word "permanent" from the definition I gave you.

"REMOVE THE WORD 'permanent,' Rob? Why did you stick it in there to begin with?"

I did it because I'm a critic. If the experts won't define it, then we should force them to accept what the overwhelming majority of non-experts out there think it means.

"You said most experts claim you can't kill the Internet. Who thinks otherwise?" White House fearmonger Richard Clarke, for one. (He's an expert only by title but let's not digress.) He equates an assault on the Internet to an assault on the American way of life. To hear him say it, the downfall of Internet v1.0 will trigger the downfall of United States v3.0 and Germany v58.1.

At this point you might wonder if the moderator "failed" to ask Frederick to define "worst-case scenario." I'll defend Carey Nachenberg here. Moderators want their panelists to do most of the talking — not some guy in the audience named Frederick. Nachenberg did a fine job as moderator and I'll leave it at that.

